JP7583000B2 - Computer and data processing method - Google Patents

Description

The present invention relates to technology for encrypting and decrypting user data.

There is a storage system that has the function of encrypting and storing user data to prevent unauthorized reading of the user data from the built-in storage medium. In response to a write command, the storage system with the above-mentioned function encrypts user data input from an external host computer and stores the encrypted user data in the storage medium. In response to a read command, the storage system with the above-mentioned function decrypts the encrypted user data stored in the storage medium and outputs the user data.

If the storage system does not have hardware to support data encryption and decryption, the CPU in the storage system performs encryption of user data associated with write processing and decryption of encrypted user data associated with read processing in accordance with program code consisting of multiple CPU instructions. The higher the encryption and decryption processing performance of the storage system's CPU, the higher the response time for reading and writing user data.

Some CPUs support encryption-specific instructions to improve encryption and decryption processing performance. An instruction set called AES-NI is one example of encryption-specific instructions.

Patent document 1 discloses a technology in which the CPU dispatches a dedicated encryption instruction every cycle, thereby performing independent encryption/decryption in parallel for different data blocks, thereby improving encryption/decryption throughput (see, for example, Figure 4).

Patent document 2 discloses a technology that applies SIMD instructions (instructions that can perform the same processing on multiple data with a single instruction) to stream encryption processing, in which a CPU generates ciphertext data by performing an exclusive OR of plaintext data and a key stream, thereby doubling the performance (see TABLE 3).

To improve the reliability of the information processing device, some storage systems are known that have a function for adding management information called a DIF (Data Integrity Field) to user data so that it can be confirmed that the user data received from the host computer has not been accidentally destroyed or mistaken for other user data when processed. Storage systems with the above-mentioned function generate and check the DIF during write and read processes. If the storage system does not have hardware that supports the generation and checking of the DIF, the CPU included in the storage system generates and checks the DIF according to program code consisting of multiple CPU instructions.

U.S. Pat. No. 8,194,854 U.S. Pat. No. 1,032,0558

In a storage system that has the function of encrypting and storing user data and the function of adding a DIF to the user data, the prior art does not disclose detailed methods for improving the processing performance of the encryption of user data executed by the CPU.

A representative example of the invention disclosed in the present application is as follows. That is, a computer that writes and reads user data including a plurality of data blocks includes a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor, the processor has a plurality of registers, receives a write request for the user data, stores the user data written in accordance with the write request in the memory, and performs an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks, adds a first data integrity field including a first error code to each of the plurality of encrypted data blocks included in the encrypted user data, and stores the encrypted user data in the storage medium. In the encryption process, a first process of reading partial data that is a part of the data blocks from a predetermined number of the data blocks and storing the data in a first register, a second process of encrypting the partial data stored in the first register to generate encrypted partial data, and a third process of performing a first operation to calculate the first error code using the encrypted partial data stored in the second register, and storing the result of the first operation in a third register are repeatedly performed.

According to one embodiment of the present invention, it is possible to improve the processing performance of encryption processing. Problems, configurations, and effects other than those described above will become clear from the description of the following embodiment.

FIG. 1 is a diagram illustrating an example of the configuration of a computer system according to a first embodiment. 2 is a diagram showing a format of data handled by the storage system of the first embodiment. 2 is a diagram showing a format of data handled by the storage system of the first embodiment. 2 is a diagram showing a format of data handled by the storage system of the first embodiment. FIG. 2 is a diagram for explaining the specifications of the WSC according to the first embodiment. FIG. 2 is a diagram for explaining the specifications of the WSC according to the first embodiment. FIG. 2 is a diagram for explaining the specifications of the WSC according to the first embodiment. 11 is a flowchart illustrating an example of a write process executed by the storage system of the first embodiment. 11 is a flowchart illustrating an example of a read process executed by the storage system of the first embodiment. FIG. 1 is a diagram illustrating conventional XTS encryption/decryption. FIG. 1 is a diagram illustrating conventional XTS encryption/decryption. FIG. 2 is a diagram illustrating XTS encryption/decryption in the storage system of the first embodiment. FIG. 2 is a diagram illustrating XTS encryption/decryption in the storage system of the first embodiment. FIG. 2 is a diagram illustrating XTS encryption/decryption in the storage system of the first embodiment. 1 is a diagram showing a structure of input data in XTS encryption/decryption using a Vector command executed by the storage system of the first embodiment. FIG. 13 is a diagram showing the structure of output data in XTS encryption/decryption using a Vector command executed by the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method of calculating a CRC in the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method of calculating a CRC in the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method of calculating a CRC in the storage system of the first embodiment. FIG. FIG. 13 illustrates a parallel method for CRC calculation in the storage system of the first embodiment. FIG. 13 illustrates a parallel method for CRC calculation in the storage system of the first embodiment. 11 is a diagram illustrating a method for generating DIFs of four data blocks in parallel in the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method for generating DIFs of four data blocks in parallel in the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method for checking the DIFs of four data blocks in parallel in the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method for checking the DIFs of four data blocks in parallel in the storage system of the first embodiment. FIG. 11 is a diagram illustrating a method for checking the DIFs of four data blocks in parallel in the storage system of the first embodiment. FIG.

One embodiment of the present invention will be described with reference to the drawings. However, the present invention should not be interpreted as being limited to the description of the embodiment shown below. Those skilled in the art will easily understand that the specific configuration can be changed without departing from the concept or spirit of the present invention.

In the configuration of the invention described below, the same or similar configurations or functions are given the same reference symbols, and duplicate explanations are omitted.

The terms "first," "second," "third," and the like used in this specification are used to identify components and do not necessarily limit the number or order.

Figure 1 is a diagram showing an example of the configuration of a computer system in the first embodiment.

The computer system 100 according to the first embodiment includes a host computer 110 and a storage system 120. The host computer 110 and the storage system 120 are connected to each other directly or via a network.

The storage system 120 is an example of a computer that reads and writes data. The storage system 120 has a storage controller 130 and a storage device 140. The storage device 140 is, for example, a hard disk drive (HDD) or a solid state drive (SSD). The storage device 140 may be mounted on the storage controller 130.

The storage controller 130 has one or more front-end interfaces (FE I/F) 131, one or more back-end interfaces (BE I/F) 132, a CPU 133, and a DRAM (Dynamic Random Access Memory) 134. The DRAM 134 is a volatile memory (memory device) that can be read and written in byte units.

In FIG. 1, each hardware element of the storage system 120 is illustrated one by one, but each component may exist multiple times to achieve redundancy, high performance, large capacity, etc.

The storage controller 130 according to the first embodiment provides a logical volume to the host computer 110. The providing method can be as follows:

(Provision method 1) One or more logical volumes (physical logical volumes) are formed from multiple storage devices 140 and provided to the host computer 110.

(Provisioning method 2) The storage controller 130 provides the host computer 110 with a logical volume formed by thin provisioning technology. The logical volume is a virtual volume, and the actual storage area is dynamically allocated.

The host computer 110 requests writing/reading of user data to the logical volume by issuing an I/O command (write command or read command) that specifies the provided logical volume and a location within the logical volume (logical block number, sometimes abbreviated as LBA).

The FE I/F 131 is an interface device for communicating with the host computer 110. The FE I/F 131 has the function of adding information called a DIF (Data Integrity Field) to user data received from the host computer 110. The FE I/F 131 also has the function of inspecting and removing the DIF added to data to be sent to the host computer 110. The DIF is, for example, T10-DIF. T10-DIF is standardized by the American National Standards Institute (ANSI).

The BE I/F 132 is an interface device for communicating with the storage device 140. The BE I/F 132 is, for example, SAS, SATA, NVMe, and Fibre Channel.

The CPU 133 has multiple registers used in write processing/read processing, and executes write processing of user data in response to an I/O command (write command), and executes read processing of user data in response to an I/O command (read command). In a write process, the user data received from the host computer 110 is encrypted, and the encrypted user data is permanently stored in the storage device 140. In a read process, the encrypted user data stored in the storage device 140 is decrypted to user data and sent to the host computer 110. The contents of these write/read processes are explained in detail below.

The CPU 133 is, for example, a third generation Xeon (Xeon is a registered trademark, the same applies below) scalable processor (code name: IceLake-SP), a microprocessor developed for servers by Intel (Intel is a registered trademark, the same applies below).

DRAM 134 stores programs executed by CPU 133 and data handled by the programs. DRAM 134 also includes a cache area. The cache area caches user data input in accordance with an I/O command (write command) received from host computer 110, encrypted user data written to storage device 140, encrypted user data read from storage device 140, and user data output in accordance with an I/O command (read command) received from host computer 110.

When the CPU 133 caches user data input together with an I/O command (write command) in the cache area, the CPU 133 duplicates and stores the user data. If the CPU 133 detects corruption of the cached user data, it performs write processing, etc., using the duplicated user data. This makes it possible to prevent loss of user data.

In addition, in order to prevent loss of encrypted user data due to failure of a storage device 140, the storage system 120 stores the encrypted user data after implementing redundancy based on RAID (Redundant Arrays of Independent Disks) technology. Specifically, when N storage devices 140 (N is an integer equal to or greater than 2) are installed, the CPU 133 evenly distributes the data to be written to (N-1) and records it in each storage device 140, and stores the parity generated by the exclusive OR of the data to be written to each storage device 140 in one storage device 140. This makes it possible to recover data even if one storage device 140 fails. For example, when N=4, the CPU 133 records data D1, D2, and D3 of the same size in three storage devices 140, and records parity P (P=D1+D2+D3: + indicates exclusive OR) generated from the exclusive OR of the data D1, D2, and D3 in one storage device 140. For example, if the storage device 140 in which D2 is recorded fails, the CPU 133 recovers data D2 by the exclusive OR of the parity P, data D1, and data D3.

Figures 2A, 2B, and 2C are diagrams showing the format of data handled by the storage system 120 of Example 1.

The data format 200 shown in FIG. 2A is an example of a format of user data sent together with a write command sent from the host computer 110, or user data sent from the storage system 120 to the host computer 110 by a read command.

User data is made up of one or more user data blocks 201. The size of a user data block 201 is, for example, 512 bytes. The user data shown in FIG. 2 is 2048 bytes of data made up of four user data blocks 201-1, 201-2, 201-3, and 201-4. For example, when the host computer 110 writes or reads 8192 bytes of user data, the user data is made up of 16 user data blocks 201.

The data format 210 shown in FIG. 2B is an example of a format of user data that the storage system 120 caches in the DRAM 134.

The FE I/F 131 of the storage system 120 adds a DIF 202 to the end of each user data block 201 that constitutes the user data. In FIG. 2B, DIFs 202-1, 202-2, 202-3, and 202-4 are added to user data blocks 201-1, 201-2, 201-3, and 201-4, respectively.

The DIF 202 conforms to the T10-DIF standard and is composed of a 2-byte CRC (Cyclic Redundancy Check) 231, a 2-byte ATAG (Application Tag) (0) 232, a 2-byte ATAG (1) 233, and a 4-byte RTAG (Reference Tag) 234.

CRC 231 is a 16-bit error detection code calculated from the 512-byte user data block 201 located before DIF 202. RTAG 234 is an address associated with the 512-byte user data block 201 located before DIF 202. The addresses set in RTAG 234 are set in ascending order from the first user data block 201 of the user data to the last user data block 201. For example, if the address of user data block 201-1 is K (K is an integer), the address of user data block 201-2 is K+1, the address of user data block 201-3 is K+2, and the address of user data block 201-4 is K+3. ATAG(0) 232 and ATA(1) 233 can be used for any purpose. When user data is cached in DRAM 134, ATAG(0) 232 and ATAG(1) 233 are not used, so storage system 120 sets 00h to each of ATAG(0) 232 and ATAG(1) 233.

The storage system 120 can detect the occurrence of an error in a write process/read process by adding a DIF 202 to each user data block 201 of user data stored in the DRAM 134. Specifically, the storage system 120 can detect corruption of a user data block 201 by checking the CRC 231. The storage system 120 can detect a change in the order of the user data blocks 201 by checking the RTAG 234. The DIF check performed when the FE I/F 131 sends user data to the host computer 110 is the check described above.

The data format 220 shown in FIG. 2C is an example of the format of encrypted user data that the storage system 120 stores in the storage device 140. The encrypted user data shown in FIG. 2C is composed of encrypted user data blocks 203-1, 203-2, 203-3, and 203-4, which are generated by encrypting user data blocks 201-1, 201-2, 201-3, and 201-4.

The storage system 120 encrypts each user data block 201 constituting the user data into an encrypted user data block 203 using the XTS (XEX encryption mode with tweak and ciphertext stealing) mode of the AES (Advanced Encryption Standard) algorithm.

AES is a symmetric key encryption algorithm defined as a standard encryption by the National Institute of Standards and Technology (NIST). The size of the AES key is, for example, 256 bits. However, the size of the ASE key does not have to be 256 bits. The XTS mode is a block encryption method for storage devices established in the standard document IEEE 1619. In the following explanation, encryption using the XTS mode of the AES algorithm will be referred to as XTS encryption, and decryption using this mode will be referred to as XTS decryption.

The storage system 120 appends a DIF 204 to each encrypted user data block 203, similar to caching user data.

DIF204, like DIF202, conforms to the T10-DIF standard and is composed of a 2-byte CRC241, a 2-byte ATAG(0)242, a 2-byte ATAG(1)243, and a 4-byte RTAG244.

CRC 241 is a 16-bit error detection code calculated from the 512-byte encrypted user data block 203 located before DIF 204. RTAG 244 is an address associated with the 512-byte encrypted user data block 203 located before DIF 204. The addresses set in RTAG 244 are set in ascending order from the first encrypted user data block 203 of the encrypted user data to the last encrypted user data block 203. When storing encrypted user data in the storage device 140, the storage system 120 sets a code called WSC (write sequence code) in ATAG (0) 242. The specifications of WSC will be explained using FIG. 3. ATAG (1) 243 is not used, so 00h is set.

The storage system 120 can detect the occurrence of a write error or a read error by adding a DIF 204 to each encrypted user data block 203 of the encrypted user data stored in the storage device 140. Specifically, the storage system 120 can detect corruption of the read encrypted user data block 203 by checking the CRC 241. The storage system 120 can detect an error in the address instructed to read to the storage device 140 by checking the RTAG 244. An error in writing encrypted user data to the storage device 140 can be detected by checking the WSC set in the ATAG(0) 242.

In the following description, when there is no need to distinguish between user data block 201 and encrypted user data block 203, they will be referred to as data blocks.

Figures 3A, 3B, and 3C are diagrams explaining the specifications of the WSC in Example 1.

The data format 300 shown in FIG. 3A is an example of a data format of a WSC. A WSC is a 1-byte (8-bit) code stored in ATAG0 (242), and is composed of a 1-bit HEAD flag 301, a 1-bit TAIL flag 302, and a 6-bit SQN (sequence number) 303.

The HEAD flag 301 is a flag that stores a value indicating whether the encrypted user data block 203 to be written to the storage device 140 is the first or not. The TAIL flag 302 is a flag that stores a value indicating whether the encrypted user data block 203 to be written to the storage device 140 is the last or not.

If the encrypted user data block 203 to be written to the storage device 140 is the first, the HEAD flag 301 is set to 1, and if the encrypted user data block 203 to be written to the storage device 140 is the last, the TAIL flag 302 is set to 1. The HEAD flag 301 and TAIL flag 302 of an encrypted user data block 203 that is neither the first nor the last are set to 0. When writing encrypted user data consisting of one encrypted user data block 203, the HEAD flag 301 and TAIL flag 302 are set to 1.

SQN303 stores the generation number of the encrypted user data written to the storage device 140. A different value is used for the generation number each time it is written.

Figure 3B shows an example of WSC settings when writing encrypted user data blocks 203 to addresses 0 to 9 of the storage device 140.

In state 1, encrypted user data consisting of 10 encrypted user data blocks 203 is written. Here, it is assumed that 0x0A is specified as the SQN.

The encrypted user data block 203 written to address 0 is the first, so HEAD 301 is 1 and WSC is 0x8A. The encrypted user data block 203 written to address 9 is the last, so TAIL 302 is 1 and WSC is 0x4A. The WSC of encrypted user data blocks 203 written to other addresses is 0x0A.

In state 2, encrypted user data consisting of five encrypted user data blocks 203 is written to addresses 3 to 7. Here, it is assumed that 0x0B is specified for SQN.

The WSC is updated because data is overwritten at five addresses. The encrypted user data block 203 written to address 3 is the first, so HEAD 301 is 1 and the WSC is 0x8B. The encrypted user data block 230 written to address 7 is the last, so TAIL 302 is 1 and the WSC is 0x4B. The WSC of the encrypted user data blocks 203 written to addresses 4 to 6 is 0x0B.

Table 320 in FIG. 3C shows an example of rules for checking for write errors based on the WSC. When the storage system 120 writes encrypted user data to the storage device 140, it reads the WSC and checks for write errors according to the rules shown in table 320.

In table 320, the following rules are defined:
(R1) If the HEAD/TAIL of the WSC of the own block is 1/0 or 1/1, no check is performed.
(R2) If the HEAD/TAIL of the WSC of the own block is 0/0 or 0/1 and the HEAD/TAIL of the WSC of the previous block is 0/1, no check is performed.
(R3) If the HEAD/TAIL of the WSC of the current block is 0/0 or 0/1 and the HEAD/TAIL of the WSC of the previous block is 0/0, the storage system 120 checks whether the SQN of the WSC of the current block matches the SQN of the WSC of the previous block.
(R4) If the HEAD/TAIL of the WSC of the own block is 0/0 or 0/1 and the HEAD/TAIL of the WSC of the previous block is 1/0, the storage system 120 checks whether the SQN of the WSC of the own block matches the SQN of the WSC of the previous block.
(R5) If the HEAD/TAIL of the WSC of the own block is 0/0 or 0/1 and the HEAD/TAIL of the WSC of the previous block is 1/1, no check is performed.

(R3) and (R4) indicate that if the current block is not the first block and the previous block is not the last block, the SQN of the encrypted user data block 203 is checked for consistency. This allows you to check whether the writing of user data consisting of multiple blocks is successful without interruption. For example, the WSC of the addresses included in the rectangles 311, 312, and 313 in FIG. 3B matches the conditions of (R3) and (R4), so they are checked. If writing to address 5 fails in writing five blocks to addresses 3 to 7, the WSC of address 5 is not updated and remains at 0x0A. This error can be detected by checking the WSC of address 5, as the SQN (0x0A) of address 5 does not match the SQN (0x0B) of address 4. If writing to address 3 fails in writing five blocks to addresses 3 to 7, the WSC of address 3 is not updated and remains at 0x0A. This error can be detected when checking the WSC for address 4 because the SQN (0x0B) does not match the SQN (0x0A) for address 3.

(R1), (R2), and (R5) indicate that if the current block is the first block or the previous block is the last block, the SQN of the WSC of the current block does not need to match the SQN of the WSC of the previous block, so no check is performed.

Figure 4 is a flowchart illustrating an example of a write process executed by the storage system 120 of the first embodiment. In the following description, the user data block 201 that is not XTS encrypted is referred to as a plaintext block, and the user data block 203 encrypted by XTS encryption is referred to as a ciphertext block.

The storage system 120 receives user data along with a write command from the host computer 110 (step S401).

The storage system 120 adds the DIF 202 to the plaintext block that constitutes the user data (step S402). Specifically, the FE I/F 131 calculates a 16-bit error detection code from the plaintext block and sets it as the CRC 231, and also sets the block address as the TRAG 234.

The CPU 133 of the storage system 120 stores the user data with the DIF 202 added in the DRAM 134 (step S403). At this time, the storage system 120 multiplexes the user data and stores it in the DRAM 134 to prevent loss of the user data.

The CPU 133 of the storage system 120 reads a portion of the plaintext block from the DRAM 134 and loads it into the register (step S404).

The CPU 133 of the storage system 120 executes an operation (CRC calculation) to calculate the CRC of the plaintext block using the data loaded into the register, and encrypts the data using XTS encryption (step S405). This generates a portion of the ciphertext block. The encrypted data is stored in the register and also in the DRAM 134.

The CPU 133 of the storage system 120 performs a CRC calculation to calculate the CRC of the ciphertext block using the encrypted data stored in the register (step S406).

The CPU 133 of the storage system 120 determines whether encryption of all plaintext blocks has been completed (step S407).

If encryption of all plaintext blocks has not been completed, the CPU 133 of the storage system 120 returns to step S404 and executes the same process. In this way, the storage system 120 sequentially moves the load source point from the beginning of the plaintext block to the end, encrypting the data sequentially.

When encryption of all plaintext blocks is complete, the CRCs of the plaintext blocks and ciphertext blocks are calculated, and encrypted user data is generated.

The CPU 133 of the storage system 120 compares the calculated CRC of the plaintext block with the CRC 231 included in the DIF 202 to determine whether the user data is corrupted (step S408). Specifically, it is determined whether the CRCs match. If at least one CRC does not match, it is determined that the user data is corrupted.

If the CRC check detects corruption of the user data, the CPU 133 of the storage system 120 recovers the user data using the multiplexed user data (step S410) and then returns to step S404.

If the CRC check does not detect any corruption of the user data, the CPU 133 of the storage system 120 determines whether the user data is corrupted based on the RTAG 234 included in the DIF 202 (step S409). Specifically, it is determined whether the addresses are in ascending order. If the addresses are not in ascending order, it is determined that the user data is corrupted.

If corruption of user data is detected by inspection of RTAG234, the CPU 133 of the storage system 120 recovers the user data using the multiplexed user data (step S410) and then returns to step S404.

If no corruption of user data is detected by checking the RTAG 234, the CPU 133 of the storage system 120 appends the DIF 204 to each ciphertext block (step S411). Specifically, the 16-bit error detection code calculated from the ciphertext block is set to the CRC 241, the WSC described in FIG. 3 is set to ATAG0 (242), and the address of the ciphertext block is set to the RTAG 234.

The CPU 133 of the storage system 120 writes the encrypted user data with the DIF 204 added to the storage device 140 (step S412). At this time, the CPU 133 writes the encrypted user data divided into N-1 equal parts and the parity generated by RAID technology to multiple storage devices 140. This concludes the description of the write process.

Figure 5 is a flowchart illustrating an example of a read process executed by the storage system 120 of Example 1.

When the CPU 133 of the storage system 120 receives a read command from the host computer 110, it reads the encrypted user data with the DIF 204 added from the storage device 140 and stores it in the DRAM 134 (step S501).

The CPU 133 of the storage system 120 loads a portion of the ciphertext block from the DRAM 134 into the register (step S502).

The CPU 133 of the storage system 120 executes an operation (CRC calculation) to calculate the CRC of the ciphertext block using the data loaded into the register, and decrypts the data by XTS decryption (step S503). This generates a portion of the plaintext block. The decrypted data is stored in the register and also in the DRAM 134.

The CPU 133 of the storage system 120 uses the decrypted data stored in the register to perform an operation (CRC calculation) to calculate the CRC of the plaintext block (step S504).

The CPU 133 of the storage system 120 determines whether decryption of all ciphertext blocks has been completed (step S505).

If decryption of all ciphertext blocks has not been completed, the CPU 133 of the storage system 120 returns to step S502 and executes the same process. In this way, the load source point is moved sequentially from the beginning to the end of the ciphertext block, and the data is decrypted sequentially.

When all ciphertext blocks have been decrypted, the CRCs of the ciphertext blocks and plaintext blocks have been calculated, and user data has been generated.

The CPU 133 of the storage system 120 compares the calculated CRC of the ciphertext block with the CRC 241 included in the DIF 204 to determine whether the encrypted user data is corrupted (step S506). That is, it is determined whether reading or writing the encrypted user data has failed. Specifically, it is determined whether the CRCs match. If at least one CRC does not match, it is determined that the encrypted user data is corrupted.

If the CRC check detects corruption of the encrypted user data, the CPU 133 of the storage system 120 reads the parity from the storage system 120 and recovers the encrypted user data (step S509), and then returns to step S502.

If the CRC check does not detect any corruption of the encrypted user data, the CPU 133 of the storage system 120 determines whether the encrypted user data is corrupted or not based on the WSC included in the DIF 204 (step S507). In other words, it is determined whether the read or write of the encrypted user data has failed. Specifically, a check is performed according to table 320 shown in FIG. 3C.

If corruption of the encrypted user data is detected by the WSC inspection, the CPU 133 of the storage system 120 reads the parity from the storage system 120 and recovers the encrypted user data (step S509), and then returns to step S502.

If the WSC inspection does not detect corruption of the encrypted user data, the CPU 133 of the storage system 120 determines whether the encrypted user data is corrupted or not based on the RTAG 234 included in the DIF 204 (step S508). That is, it is determined whether reading or writing the encrypted user data has failed. Specifically, it is determined whether the addresses are in ascending order. If the addresses are not in ascending order, it is determined that the encrypted user data is corrupted.

If corruption of the encrypted user data is detected by inspection of RTAG234, the CPU 133 of the storage system 120 reads the parity from the storage system 120 and recovers the encrypted user data (step S509), and then returns to step S502.

If no corruption of user data is detected by checking the RTAG 234, the CPU 133 of the storage system 120 appends the DIF 202 to each plaintext block (step S510). Specifically, a 16-bit error detection code calculated from the plaintext block is set in the CRC 231, and the address of the plaintext block is set in the RTAG 234.

The CPU 133 of the storage system 120 stores the user data with the DIF 202 added in the DRAM 134 (step S511).

The storage system 120 sends the user data to the host computer 110 (step S512). At this time, the FE I/F 131 inspects the DIF and removes the DIF from the user data. This completes the read process.

Figures 6A and 6B are diagrams explaining conventional XTS encryption/decryption.

Figure 6A shows the procedure for XTS encryption. In XTS encryption, a 512-byte plaintext block is encrypted in 16-byte chunks. First, (E1) an exclusive-OR is calculated between a 16-byte tweak and a part of the plaintext block. Next, (E2) encryption is performed based on the AES encryption algorithm. Finally, (E3) an exclusive-OR is calculated between the encryption result and the tweak to generate a 16-byte ciphertext element. A 512-byte ciphertext block is generated by performing the process cycle of (E1), (E2), and (E3) 32 times.

Tweak is changed every time 16 bytes of data is encrypted. Also, Tweak is a different value for each 512-byte block.

In the AES algorithm (E2), encryption is performed using 15 encryption round keys (128 bits). These round keys are generated by applying a prescribed expansion process (Key Expansion) to a 256-bit encryption key. First, (E2-1) AddRoundKey process is performed, then (E2-2) four processes of SubBytes, ShiftRows, MixColumns, and AddRoundKey are repeated 13 times, and finally (E2-3) three processes of SubBytes, ShiftRows, and AddRoundKey are performed. In the AddRoundKey process, which is performed 15 times, encryption round keys 0 to 14 are used.

Each of the above processes can be associated with the following CPU instructions. The exclusive OR of data and Tweak corresponds to the XOR instruction. The AddRoundKey process corresponds to the exclusive OR (XOR) of the previous process result and the encryption round key as a CPU instruction. The four processes in (E2-2) correspond to the AESENC instruction. In other words, the AESENC instruction needs to be executed 13 times. The three processes in (E2-3) correspond to the AESENCLAST instruction. The AESENC and AESENCLAST instructions are implemented as part of a dedicated encryption instruction set called AES-NI (AES New Instructions) in microprocessors that Intel has commercialized since around 2010.

Figure 6B shows the procedure for XTS decryption. In XTS decryption, a 512-byte ciphertext block is decrypted in 16-byte chunks. First, (D1) an exclusive-OR is calculated between a 16-byte tweak and a part of the encrypted block. Next, (D2) decryption is performed based on the AES algorithm. Finally, (D3) an exclusive-OR is calculated between the decryption result and the tweak to generate a 16-byte plaintext element. A 512-byte plaintext block is generated by executing (D1), (D2), and (D3) 32 times.

Tweak is changed every time 16 bytes of data are decrypted. Also, Tweak is a different value for each 512-byte block.

In the AES decryption algorithm (D2), decryption is performed using 15 decryption round keys (128 bits). These round keys are generated by applying a prescribed expansion process (Key Expansion) to a 256-bit encryption key. The 256-bit encryption key is the same as the encryption key used in encryption. First, (D2-1) AddRoundKey processing is performed, then (D2-2) four processes of InvShiftRows, InvSubBytes, AddRoundKey, and InvMixColumns are repeated 13 times, and finally (D2-3) three processes of InvShiftRows, InvSubBytes, and AddRoundKey are performed. In the AddRoundKey processing, which is performed 15 times, decryption round keys 0 to 14 are used.

Each of the above processes can be associated with a CPU instruction as follows. The exclusive OR of data and Tweak corresponds to the XOR instruction. The AddRoundKey process corresponds to the exclusive OR (XOR) of the previous process result and the decryption round key. The four processes in (D2-2) correspond to the AESDEC instruction. In other words, the AESDEC instruction needs to be executed 13 times. The three processes in (D2-3) correspond to the AESDECLAST instruction. The AESDEC and AESDECLAST instructions are implemented as part of AES-NI, as above.

Figures 7A, 7B, and 7C are diagrams explaining XTS encryption/decryption in the storage system 120 of Example 1.

The CPU 133 is a third-generation Xeon scalable processor or the like, and supports AES-NI, as well as vectorized versions of the AESENC, AESENCLAST, AESDEC, and AESDECLAST instructions (VAESENC, VAESENCLAST, VAESDEC, and VAESDECLAST instructions).

A Vector instruction is an instruction that can perform the same operation on multiple pieces of data in parallel in one execution. It is also called a SIMD (Single Instruction/Multiple Data) instruction. A Vector instruction uses a 512-bit (64-byte) register called a Zmm register to perform the same operation on four pieces of 128-bit (16-byte) data. The operation result is also stored in the Zmm register. The CPU 133 uses 32 Zmm registers (Zmm0 register to Zmm31 register). The CPU 133 also supports Vectorized instructions for instructions that perform general microprocessor operations (addition, subtraction, multiplication, exclusive OR, shift, comparison, etc.).

The CPU 133 uses these Vector instructions to perform XTS encryption/decryption in parallel. Specifically, it encrypts/decrypts four data blocks (512 bytes) in parallel.

Figure 7A shows parallel XTS encryption of four plaintext blocks by CPU 133.

The CPU 133 loads 16 bytes of data from each of the four plaintext blocks (512 bytes) stored in the DRAM 134 into the Zmm register. A total of 64 bytes of data is stored in the Zmm register.

The CPU 133 executes (P1) a Vector XOR instruction to calculate the exclusive OR of the data stored in the Zmm register and the value of the four tweaks of each plaintext block. Next, the CPU 133 executes (P2) a Vector XOR instruction, thirteen VAESENC instructions, and a VAESENCLAST instruction to perform XTS encryption of the four plaintext blocks in parallel. Finally, the CPU 133 (P3) calculates the exclusive OR of the result of the calculation (P2) and the value of the four tweaks. This generates four 16-byte ciphertext elements simultaneously.

The ciphertext elements are stored sequentially from the Zmm register to the DRAM 134. Four ciphertext blocks (512 bytes) are generated by executing the process cycles of (P1), (P2), and (P3) multiple times. Note that the encryption round keys 0 to 14 used in (P2) are common to each plaintext block.

Figure 7B shows parallel XTS decryption of four ciphertext blocks by CPU 133.

The CPU 133 loads 16 bytes of data from each of the four ciphertext blocks (512 bytes) stored in the DRAM 134 into the Zmm register. A total of 64 bytes of data is stored in the Zmm register.

The CPU 133 executes (P4) a Vector XOR instruction to calculate the exclusive OR of the data stored in the Zmm register and the value of the four tweaks of each ciphertext block. Next, the CPU 133 executes (P5) a Vector XOR instruction, thirteen VAESDEC instructions, and a VAESDECLAST instruction to perform XTS decryption of the four ciphertext blocks in parallel. Finally, the CPU 133 (P6) calculates the exclusive OR of the result of the calculation (P5) and the value of the four tweaks. This generates four 16-byte plaintext elements simultaneously.

The plaintext elements are stored sequentially from the Zmm register to the DRAM 134. Four plaintext blocks (512 bytes) are generated by executing the process cycles of (P4), (P5), and (P6) multiple times. Note that the decryption round keys 0 to 14 used in (P5) are common to each ciphertext block.

Figure 7C shows how to optimize the execution order of the above four vectorized AES instructions.

VAES* in Figure 7C is replaced with VAESENC, VAESENCLAST, VAESDEC, and VAESDECLAST.

The arithmetic circuits used in these instructions each have a four-stage pipeline structure 731, and the number of cycles required to complete processing is four. When data moves from the Nth stage to the (N+1)th stage of the pipeline circuit, the Nth stage can accept the next data. Therefore, when four VAES* instructions are executed in a row, data can be supplied to the pipeline in four consecutive cycles, improving processing efficiency. Based on this concept, when the CPU 133 loads 16 bytes from each of the four data blocks into the Zmm registers in the encryption shown in FIG. 7A and the decryption shown in FIG. 7B, the CPU 133 reserves four Zmm registers and loads 16 bytes x 4 four times in advance. Then, the CPU 133 executes four VAES* instructions consecutively for the four Zmm registers, improving the efficiency of pipeline processing. Hereinafter, a set of data processed by four consecutive VAES* instructions is called a Group.

Figure 8 is a diagram showing the structure of input data for XTS encryption/decryption using the Vector command executed by the storage system 120 of Example 1.

In parallel execution of XTS encryption/decryption of four data blocks, the Group shown in FIG. 7C is made up of eight Groups, Group 0 to 7. In other words, the procedure of "executing four VAES* instructions consecutively on four Zmm registers" is executed eight times in one execution of parallel processing of XTS encryption/decryption of four data blocks.

The four 64-byte data (16 bytes x 4) that make up one Group are loaded into the Zmm0 to Zmm3 registers, respectively. For example, the data loaded into the Zmm0 register is the 64-byte data enclosed by the dashed line 810. Note that the number of the Zmm register to which the data is loaded is just an example, and other register numbers may also be used.

An 8-byte DIF is added to the end of each data block of user data or encrypted user data stored in DRAM 134. Since the DIF checks of the four data blocks are performed in parallel, the DIF is loaded into one Zmm register. In Figure 8, the DIFs added to the four data blocks are loaded into the Zmm8 register.

The Zmm register can hold four 16-byte data items. However, since DIF is 8 bytes, it is loaded into the Zmm register with 8-byte intervals between each. Note that the number of the Zmm register into which DIF is loaded is just an example, and other register numbers may be used.

The addresses of the four data blocks input simultaneously to the XTS encryption/decryption process are consecutive in ascending order: 4N, 4N+1, 4N+2, 4N+3 (N is an integer). For example, if the size of the user data to be written/read is 128 KB (256 blocks), the XTS encryption/decryption of the four data blocks must be performed in parallel 64 times.

Figure 9 is a diagram showing the structure of output data in XTS encryption/decryption using the Vector command executed by the storage system 120 of Example 1.

Groups 0 to 7 in Figure 9 correspond to the output positions when the results of XTS encryption/decryption of the data of Groups 0 to 7 in Figure 8 are stored in DRAM 134. The positional relationship of the output destination of the results of XTS encryption/decryption is the same as that of the input source. In other words, when the input block start position is X and the output block start position is Y, the result of XTS encryption/decryption of data at position X+P, which is P (P is 0 or greater) away from the start of the input block, is output to position Y+P.

The results of XTS encryption/decryption of one Group are held in four registers, Zmm4 to 7, and the four 64-byte data (16 bytes x 4) are stored in positions that follow this rule. For example, the 64 bytes of data enclosed by dashed line 910 is the result of XTS encryption/decryption of the 64 bytes of data enclosed by dashed line 810 in Figure 8, and is stored in the Zmm4 register. Note that the numbers of these Zmm registers from which they are stored are merely examples, and other register numbers may be used.

An 8-byte DIF is stored at the end of each data block of user data or encrypted user data stored in DRAM 134. Since the generation of DIFs for the four blocks is performed in parallel, the DIF is read from one Zmm register. In Figure 9, the DIF is read from Zmm9.

The DIF stored in the Zmm9 register is stored with 8-byte intervals. Note that the number of the Zmm register from which the DIF is stored is just an example, and other register numbers may be used.

The addresses of the four data blocks to which the results of the XTS encryption/decryption process are output simultaneously are consecutive in ascending order, as in Figure 8, and are 4N, 4N+1, 4N+2, and 4N+3 (N is an integer).

The parallel processing of XTS encryption/decryption of four data blocks described above using Figures 7 to 9 is applied in step S405 of Figure 4 and step S503 of Figure 5.

Figures 10A, 10B, and 10C are diagrams explaining the CRC calculation method in the storage system 120 of Example 1.

First, the theory of CRC calculation will be explained with reference to FIG. 10A. In general, the CRC of binary data M of any length corresponding to a binary polynomial M(x) is defined by equation (1).

Here, deg represents the degree of the polynomial, P(x) represents the polynomial that defines the CRC algorithm, and the symbol "." represents carry-less multiplication. For a 16-bit CRC algorithm, P(x) is a polynomial of degree 16. The CRC can be calculated as the remainder polynomial when a large degree polynomial M(x) defined over a Galois field GF(2) is divided by the CRC polynomial P(x).

Figure 10A shows how a 16-bit CRC is calculated from a typical 512-byte (4096-bit) block in storage system 120. Binary polynomial division can be performed efficiently if there are CPU instructions that can perform carry-less multiplication efficiently.

Figures 10B and 10C show a method of CRC calculation using the PCLMULQDQ instruction, which can perform carry-less multiplication of up to 64 bits by 64 bits. The PCLMULQDQ instruction is included in microprocessors that Intel has commercialized since around 2010.

Figure 10B shows a method for shortening the CRC calculation of 512 bytes (4096 bits) of binary data to a CRC calculation of 128 bits of binary data. The number of bits of the binary data is reduced by 128 by one shortening process. The relationship between the binary polynomial Mk(x) after k shortening processes and the polynomial Mk+1(x) obtained by one further shortening process is given by equation (2).

Here, M0(x) = M(x). H(x) represents a polynomial consisting of the upper 64 bits of the binary data represented by Mk(x), and L(x) represents a polynomial consisting of the 64 bits following the upper 64 bits of the binary data represented by Mk(x). Gk(x) represents a polynomial consisting of the remaining data excluding the upper 128 bits of the binary data represented by Mk(x). T represents the number of bits of the remaining data. The symbol "+" represents a bitwise exclusive OR.

The PCLMULQDQ instruction multiplies the 64-bit values indicated by H(x) and L(x) by a constant to obtain two 128-bit values, and then calculates the exclusive OR of these values with the remaining data indicated by Gk(x), thereby reducing the number of bits of binary data subject to CRC calculation by 128. By performing this shortening process 31 times, the CRC calculation of 512 bytes (4096 bits) of binary data is reduced to the CRC calculation of the 128-bit binary data indicated by M31(x).

Figure 10C shows how to perform the CRC calculation (the final calculation in Figure 10B) on the 128-bit binary data represented by M31(x).

First, the CPU 133 multiplies the upper 64-bit value by a constant using the PCLMULQDQ instruction to obtain an 80-bit value (1031), and calculates the exclusive OR of this value and the lower 64-bit value, thereby reducing the number of bits of the data subject to the CRC calculation to 80. Next, the CPU 133 multiplies the upper 32-bit value by a constant using the PCLMULQDQ instruction to obtain a 48-bit value (1032), and calculates the exclusive OR of this value and the lower 48 bits of the 80-bit value (1031), thereby reducing the number of bits of the data subject to the CRC calculation to 48. The result is designated as R. Finally, the CPU 133 calculates a 16-bit CRC from the 48-bit R based on an algorithm called Barrett Reduction. Specifically, the CPU 133 performs the calculations of equations (3), (4), (5), and (6) in that order.

Here, R(x) represents a polynomial made up of R, Floor represents the operation of leaving terms of degree 0 or higher of x from the polynomial, and the symbol "+" represents bitwise exclusive OR. The 16-bit value represented by C(x) is the desired CRC. In this way, Barrett Reduction also uses two carry-less multiplications to which the PCLMULQDQ instruction can be applied.

The CPU 133 supports the PCLMULQDQ instruction, and also supports the VPCLMULQDQ instruction, which is a vectorized version of the PCLMULQDQ instruction.

The CPU 133 uses the VPCLMULQDQ instruction to perform CRC calculations on four data blocks in parallel. Specifically, it performs CRC calculations on four 512-byte data blocks in parallel.

Figures 11A and 11B are diagrams showing a parallel method for CRC calculation in the storage system 120 of the first embodiment. This method is applied to the CRC calculation in steps S405 and S406 in Figure 4 and steps S503 and S504 in Figure 5.

Figure 11A shows a method for shortening binary data (corresponding to the entire process in Figure 10B) in parallel processing of CRC calculations of four data blocks by the CPU 133.

Zmm register 1111 is a register that holds 16 bytes of data corresponding to four data blocks, which are components of the input data for encryption/decryption or the output data for encryption/decryption in the parallel processing of XTS encryption/decryption of four data blocks described using Figures 7 to 9. Specifically, in the case of input data for XTS encryption/decryption, it indicates the Zmm0 register, Zmm1 register, Zmm2 register, or Zmm3 register, and in the case of output data for XTS encryption/decryption, it indicates the Zmm4 register, Zmm5 register, Zmm6 register, or Zmm7 register.

The present invention performs parallel shortening of the data subject to CRC calculation using the data held in Zmm register 1111 for XTS encryption/decryption. The 16 bytes of data in Zmm register 1111 correspond to a 128-bit value consisting of two 64-bit values indicated by H(x) and L(x) in FIG. 10B.

Zmm register 1112 is a register that holds 128-bit binary data of four data blocks obtained during or after the shortening process. Specifically, it indicates the Zmm10 register in the case of CRC calculation of input data for XTS encryption/decryption, and it indicates the Zmm9 register in the case of CRC calculation of output data for XTS encryption/decryption.

First, CPU 133 (PP1) executes the VPCLMULQDQ instruction to multiply the upper 64 bits of the 16 bytes of data in Zmm register 1111 by the same constant. Four 128-bit data are output as the calculation results. Next, CPU 133 (PP2) executes the VPCLMULQDQ instruction to multiply the lower 64 bits of each 16 bytes of data in Zmm register by the same constant. Four 128-bit data are output as the calculation results. CPU 133 (PP3) calculates the exclusive OR of these two results and Zmm register 1112, and stores the result again in Zmm register 1112. The processes (PP1) to (PP3) correspond to one shortening process.

When the next 16 bytes of data are stored in Zmm register 1111 during parallel processing of XTS encryption/decryption of four data blocks, CPU 133 repeats the shortening process shown in (PP1) to (PP3). CPU 133 executes the shortening process 31 times, and when the last 16 bytes of data of the block (i.e., the fourth of Group 7) are stored in Zmm register 1111, CPU 133 calculates the exclusive OR of the value of Zmm register 1111 and Zmm register 1112, and stores the result in Zmm register 1112 again.

Figure 11B shows the method of the final calculation (final processing in Figure 10B) in the parallel processing of CRC calculation of four block data by CPU 133.

Zmm register 1112 holds 128-bit binary data used in the final calculation of four data blocks. In the present invention, the final CRC calculation is performed in parallel using the data held in this Zmm register 1112. Here, the parallel final calculation 1121 is implemented by replacing the CPU instruction used in the final calculation of FIG. 10B with the corresponding Vector instruction. That is, the XOR instruction is replaced with the Vector XOR instruction, and the PCLMULQDQ instruction is replaced with the VPCLMULQDQ instruction. Similarly, each instruction constituting Barrett Reduction is replaced with the corresponding Vector instruction. The result of the final CRC calculation is stored in Zmm register 1112. Specifically, in the case of CRC calculation of input data of XTS encryption/decryption, Zmm10 register is indicated, and in the case of CRC calculation of output data of XTS encryption/decryption, Zmm9 register is indicated. The results of the four CRC calculations are stored in the first 16 bits of each of the 16 bytes in the Zmm register 1112. Note that when the CRC calculations are completed, the remaining portion of each of the 16 bytes (112 bits) is unused.

Figures 12A and 12B are diagrams illustrating a method for generating DIFs in parallel for four data blocks in storage system 120 of Example 1.

Figure 12A shows how the CPU 133 adds 1 byte (8 bits) of WSC in parallel to the end of each CRC in the Zmm9 register that holds four CRCs calculated in parallel from the output data of XTS encryption/decryption using the method shown in Figure 11.

As explained with reference to FIG. 3, the WSC to be added is such that HEAD 301 of the leading block is 1, HEAD 301 of the non-leading block is 0, TAIL 302 of the tail block is 1, TAIL 302 of the non-tail block is 0, and the SQN of all data blocks is a common 6-bit value. A Zmm11 register is prepared to hold a 512-bit pattern (however, 00h is set to each of the 8 bits of ATAG(1) 233 and 243) including the WSC based on this setting rule, and this is overwritten only in the 8-bit portion following each CRC in the Zmm9 register. For example, a Vectorized MOV instruction with bit mask is used for the overwriting. As a result, four pairs of CRC and WSC are stored in the Zmm9 register.

For example, if the size of the user data to be written/read is 128 KB (256 blocks), the parallel processing of adding WSCs must be performed 64 times. In the first addition, 1 is set to HEAD 301 of the WSC in the DIF of the first block, and in the 64th addition, 1 is set to TAIL 302 of the WSC in the DIF of the last block. 0 is set to the other HEAD 301 and TAIL 302.

Figure 12B shows how the CPU 133 adds 4-byte RTAGs 234, 244 in parallel to the end of each ATAG(1) 233, 243 in the Zmm9 register.

The RTAGs 234, 244 to be added are the addresses of the four data blocks arranged in ascending order. A Zmm12 register is prepared to store a 512-bit pattern including the RTAGs 234, 244 based on this setting rule, and this is overwritten only in the 4-byte portion following each ATAG(1) 233, 234 of the Zmm9 register. For example, an instruction that is a vectorized version of a bit-masked MOV instruction is used for the overwriting. As a result, four DIFs (i.e., a set of CRC, WSC, and RTAG) are stored in the Zmm9 register. This corresponds to the Zmm9 register that holds the four DIFs to be added in FIG. 9. A DIF is added to each end of the four output data blocks by a storage instruction from this Zmm9 register to DRAM 134.

The parallel DIF generation method described above is applied to S411 in FIG. 4 and S509 in FIG. 5.

Figures 13A, 13B, and 13C are diagrams illustrating a method for parallel inspection of the DIFs of four data blocks in the storage system 120 of Example 1.

In Figures 13A, 13B, and 13C, the Zmm8 register is a Zmm register that stores the DIFs (four in total) that follow each data block of the input data for XTS encryption/decryption in Figure 8.

Figure 13A shows a method for checking four CRCs in parallel using pairs in the Zmm8 register.

Using the method shown in FIG. 11, the Zmm10 register holds four CRCs calculated in parallel from the input data for XTS encryption/decryption. Each of these CRCs is checked in parallel to see if it matches each CRC stored in the Zmm8 register. For this check, for example, an instruction that is a vectorized version of a bit-masked COMPARE instruction is used. If all four comparison results match, the CRC check is successful. This check method is applied to step S408 in FIG. 4 and step S506 in FIG. 5.

Figure 13B shows a method for testing four WSCs in parallel using Zmm8 registers.

The lower 48 bytes of the Zmm13 register hold the contents of the Zmm8 register shifted 16 bytes to the right, and the upper 16 bytes hold the DIF of the fourth block (i.e., address 4N+3) previously inspected. The SQN of each of these WSCs is checked in parallel to see if it matches the SQN of the WSC in the Zmm8 register. For this inspection, for example, an instruction that is a vectorized version of the COMPARE instruction with a bit mask is used.

However, the SQN of a WSC that does not meet the conditions (R3) or (R4) shown in table 320 in FIG. 3C is not inspected. In this case, for example, the mask parameter of the COMPARE instruction is partially set to zero.

After checking the WSC, the lower 16 bytes including the DIF of the fourth block in the Zmm8 register are saved to a register for the next WSC check. As a result, if all valid SQN comparisons (up to four) result in a match, the WSC check is successful. In this way, by holding the WSC shifted by one block in the Zmm13 register, four SQN comparisons between the current WSC and the previous WSC can be performed simultaneously by executing one Vector COMPARE command. This check method is applied to step S507 in Figure 5.

For example, if the size of the user data to be written/read is 128 KB (256 blocks), then 64 parallel checks of the WSC of the four encrypted data blocks must be performed. The lower 16 bytes of the Zmm8 register, including the DIF of the fourth block, are saved during the first through 63rd checks, and are transferred to the upper 16 bytes of the Zmm13 register during the second through 64th checks. Nothing is transferred to the upper 16 bytes of the Zmm13 register during the first check, but because the first WSC is not checked, this location may contain an invalid value.

Figure 13C shows a method for testing four RTAGs in parallel using Zmm8 registers.

The Zmm14 register holds four addresses arranged in ascending order. Each of these addresses is checked in parallel to see if it matches the corresponding RTAG in the Zmm8 register. For this check, for example, an instruction that is a vectorized version of a bit-masked COMPARE instruction is used. As a result, if all four addresses match, the RTAG check is successful. This check method is applied to step S409 in FIG. 4 and step S508 in FIG. 5.

In Figures 12 and 13, the numbers of the Zmm registers used to inspect/generate DIF (register Zmm11, register Zmm12, register Zmm13, and register Zmm14) are merely examples, and other register numbers may be used.

As described above, the CPU 133 of the storage system 120 to which this invention is applied can execute XTS encryption/decryption, CRC calculation, DIF generation, and DIF checking in parallel during write/read processing by using the 512-bit Zmm register and Vector instructions. Furthermore, by following the above-described method of using the Zmm register, the number of loads/stores between the Zmm register and the DRAM 134 is kept to a minimum, minimizing overhead cycles other than data operation cycles.

When the size of the user data to be written/read is 2048U bytes (U is an integer), it is necessary to perform U times of parallel write/read processing of four blocks, but the data reception in step S401, the data write in step S412, the data read in step S501, and the data transmission in step S512 may be performed all at once instead of being divided into U times.

In addition, the present invention may use a 256-bit Ymm register that holds two pieces of processing data instead of a 512-bit Zmm register that holds four pieces of processing data. In that case, similar to the method described above, by applying a Vector instruction to the Ymm register, XTS encryption/decryption, CRC calculation, DIF generation, and DIF checking can all be processed in two blocks in parallel.

The present invention has the effect of enabling faster execution of write processing, in which user data received from a host computer 110 is encrypted and stored in a storage device, and read processing, in which encrypted user data stored in a storage device is decrypted and sent to the host computer 110, than conventional methods.

One embodiment of the present invention has been described above, but this is merely an example for the purpose of explaining the present invention, and is not intended to limit the scope of the present invention to only this embodiment. In other words, the present invention can be implemented in various other forms.

110 host computer 120 storage system 130 storage controller 131 FE I/F
132 BE I/F
133 CPU
134 DRAM
140 Storage device

Claims (21)

A computer that writes and reads user data including a plurality of data blocks, comprising:
a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor;
The processor,
A plurality of registers are included.
receiving a request to write the user data;
storing the user data written in accordance with the write request in the memory;
performing an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks;
storing two or more first data integrity fields in a first register;
performing in parallel a setting process for setting a first address indicating a storage location of the encrypted data block in each of the two or more first data integrity fields stored in the first register;
adding a first data integrity field, the first address being set to each of the plurality of encrypted data blocks included in the encrypted user data;
storing the encrypted user data on the storage medium ;
1. A computer comprising: 2. The computer of claim 1,
A first generation number representing a generation of writing of the data block can be set in the first data integrity field,
a first data integrity field storing means for storing a first generation number of the encrypted data block in each of the first data integrity fields stored in the first register, the first generation number being set in the first data integrity field in parallel; 2. The computer of claim 1,
The first data integrity field includes a first error code. 3. The computer of claim 2,
The processor,
receiving a request to read the encrypted user data;
reading from said storage medium said encrypted user data specified by said read request and storing said encrypted user data in said memory;
performing a decryption process for decrypting the encrypted user data using the plurality of registers;
storing two or more second data integrity fields in a second register;
performing in parallel a setting process for setting a second address indicating a storage location of the encrypted data block in each of the two or more second data integrity fields stored in the second register;
adding a second data integrity field, in which the second address is set, to each of the plurality of data blocks included in the decrypted user data, and storing the data in the memory;
1. A computer comprising: 5. The computer of claim 4,
A second generation number representing a generation of writing of the data block can be set in the second data integrity field,
a second data integrity field storing means for storing a second generation number of the data block in each of the two or more second data integrity fields stored in the second register, the second generation number being set in the second data integrity field in parallel; 6. The computer of claim 5,
The processor,
performing a setting operation in parallel using a SIMD instruction to set each of the two or more first data integrity fields stored in the first register to the first address;
executing, in parallel, a setting process for setting the first generation number in each of the two or more first data integrity fields stored in the first register using the SIMD instruction;
performing a setting operation in parallel using the SIMD instruction to set the second address in each of the two or more second data integrity fields stored in the second register;
a setting process for setting the second generation number in each of the two or more second data integrity fields stored in the second register in parallel using the SIMD instruction. 5. The computer of claim 4,
The second data integrity field includes a first error code. A computer that writes and reads user data including a plurality of data blocks, comprising:
a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor;
The processor,
A plurality of registers are included.
receiving a request to write the user data;
storing the user data written in accordance with the write request in the memory;
performing an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks;
performing a first test process using the plurality of registers to detect corruption of the user data;
storing the encrypted user data on the storage medium;
a first data integrity field including a first error code is added to each of the plurality of data blocks included in the user data;
In the encryption process,
a first process of reading partial data, which is a part of the data blocks, from a predetermined number of the data blocks and storing the partial data in a first register;
a second process of encrypting the partial data stored in the first register and storing the encrypted partial data in a second register;
a third process of executing a first operation for generating the first error-correcting code by using the partial data stored in the first register, and storing a result of the first operation in a third register;
is executed repeatedly,
The first inspection process includes:
reading said first data integrity field of a predetermined number of said data blocks into a fourth register;
determining whether the user data read from the memory is corrupted by comparing the first error code stored in the third register with the first error code included in the first data integrity field stored in the fourth register;
23. A computer comprising: 9. The computer of claim 8,
the first data integrity field includes a first address indicating a storage location of the data block;
The first inspection process includes:
reading the first addresses of a predetermined number of the data blocks into a fifth register;
determining whether the user data read from the memory is corrupted by comparing the first address stored in the fifth register with the first address included in the first data integrity field stored in the fourth register;
23. A computer comprising: 10. The computer of claim 9,
The processor,
receiving a request to read the encrypted user data;
reading from said storage medium said encrypted user data specified by said read request and storing said encrypted user data in said memory;
performing a decryption process for decrypting the encrypted user data using the plurality of registers;
performing a second checking process using the plurality of registers to detect corruption of the encrypted user data;
storing said user data in said memory;
a second data integrity field including a second error code is added to each of the plurality of encrypted data blocks included in the encrypted user data;
In the decoding process,
an eighth process of reading partial encrypted data, which is a part of the encrypted data block, from a predetermined number of the encrypted data blocks and storing the partial encrypted data in a sixth register;
a ninth process of storing the partial data obtained by decrypting the partially encrypted data stored in the sixth register in a seventh register;
a tenth process of performing a second operation for generating the second error code by using the encrypted partial data stored in the sixth register, and storing a result of the second operation in an eighth register;
is executed repeatedly,
The second inspection process includes:
reading said second data integrity field of a predetermined number of said encrypted data blocks into a ninth register;
determining whether the encrypted user data read from the storage medium is corrupted by comparing the second error code stored in the eighth register with the second error code included in the first data integrity field stored in the ninth register;
23. A computer comprising: 11. The computer of claim 10,
the second data integrity field includes a second address indicating a storage location of the encrypted data block;
The second inspection process includes:
reading, into a tenth register, the second addresses corresponding to a predetermined number of the encrypted data blocks;
determining whether the encrypted user data read from the storage medium is corrupted by comparing the second address contained in the second data integrity field stored in the ninth register with the second address stored in the tenth register;
23. A computer comprising: 12. The computer of claim 11,
the second data integrity field includes a second generation number representing a generation of writing of the data block;
The second inspection process includes:
reading, into an eleventh register, the second generation numbers corresponding to a predetermined number of the encrypted data blocks;
determining whether the encrypted user data read from the storage medium is corrupted by comparing the second generation number included in the first data integrity field stored in the ninth register with the second generation number stored in the eleventh register;
23. A computer comprising: 13. The computer of claim 12,
The processor executes processing on the plurality of data blocks and the plurality of encrypted data blocks in parallel using SIMD instructions. 1. A computer-implemented data processing method for writing and reading user data including a plurality of data blocks, comprising:
the computer includes a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor;
The processor has a plurality of registers;
The data processing method includes:
receiving a request by the processor to write the user data;
storing, by the processor, in the memory, the user data to be written in accordance with the write request;
performing an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks;
The processor executes a test process using the plurality of registers to detect corruption of the user data;
the processor appending a first data integrity field including a first error code to each of the plurality of encrypted data blocks included in the encrypted user data;
storing, by the processor, the encrypted user data on the storage medium;
Including,
In the encryption process,
a first process of reading partial data, which is a part of the data blocks, from a predetermined number of the data blocks and storing the partial data in a first register;
a second process of encrypting the partial data stored in the first register and storing the encrypted partial data in a second register;
a third process of performing a first operation for calculating the first error code by using the encrypted partial data stored in the second register, and storing a result of the first operation in a third register;
is executed repeatedly,
The inspection process includes:
reading said first data integrity field of a predetermined number of said data blocks into a fourth register;
determining whether the user data read from the memory is corrupted by comparing the first error code stored in the third register with the first error code included in the first data integrity field stored in the fourth register;
13. A data processing method comprising: A computer that writes and reads user data including a plurality of data blocks, comprising:
a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor;
The processor,
A plurality of registers are included.
receiving a request to write the user data;
storing the user data written in accordance with the write request in the memory;
performing an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks;
appending a first data integrity field including a first error code to each of the plurality of encrypted data blocks included in the encrypted user data;
storing the encrypted user data on the storage medium;
In the encryption process,
a first process of reading partial data, which is a part of the data blocks, from a predetermined number of the data blocks and storing the partial data in a first register;
a second process of encrypting the partial data stored in the first register and storing the encrypted partial data in a second register;
a third process of performing a first operation for calculating the first error code by using the encrypted partial data stored in the second register, and storing a result of the first operation in a third register;
is executed repeatedly,
A first address indicating a storage location of the encrypted data block may be set in the first data integrity field,
The processor,
reading the first error code for a predetermined number of the encrypted data blocks into a fourth register;
generating the first data integrity field by appending to the first error code stored in the fourth register the first address of the encrypted data block to which the first error code is to be appended;
A first generation number representing a generation of writing of the data block can be set in the first data integrity field,
The processor generates the first data integrity field by adding the first generation number of the encrypted data block to which the first error code is added to the first error code stored in the fourth register. 16. The computer of claim 15,
The processor,
receiving a request to read the encrypted user data;
reading from said storage medium said encrypted user data specified by said read request and storing said encrypted user data in said memory;
performing a decryption process for decrypting the encrypted user data using the plurality of registers;
adding a second data integrity field including a second error code to each of the plurality of data blocks included in the decoded user data, and storing the second data integrity field in the memory;
In the decoding process,
a fourth process of reading partial encrypted data, which is a part of the encrypted data blocks, from a predetermined number of the encrypted data blocks and storing the partial encrypted data in a fifth register;
a fifth process of decrypting the partial encrypted data stored in the fifth register and storing the partial data in a sixth register;
an eighth process of performing a second operation for calculating the second error code by using the partial data stored in the sixth register, and storing a result of the second operation in a seventh register;
A computer characterized in that: 17. The computer of claim 16,
A second address indicating a storage location of the encrypted data block may be set in the second data integrity field,
The processor,
reading the second error codes of a predetermined number of the data blocks into an eighth register;
generating the second data integrity field by appending to the second error code stored in the eighth register the second address of the data block to which the second error code is to be added. 18. The computer of claim 17,
A second generation number representing a generation of writing of the data block can be set in the second data integrity field,
The processor generates the second data integrity field by adding the second generation number of the data block to which the second error code is added to the second error code stored in the eighth register. 20. The computer of claim 18,
The processor executes processing on the plurality of data blocks and the plurality of encrypted data blocks in parallel using SIMD instructions. 1. A computer-implemented data processing method for writing and reading user data including a plurality of data blocks, comprising:
the computer includes a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor;
The processor has a plurality of registers;
The data processing method includes:
receiving a request by the processor to write the user data;
storing, by the processor, in the memory, the user data to be written in accordance with the write request;
performing an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks;
storing two or more first data integrity fields in a first register by the processor;
a step of executing, in parallel, a setting process by the processor, setting a first address indicating a storage location of the encrypted data block in each of the two or more first data integrity fields stored in the first register;
the processor appending a first data integrity field, the first address being set to each of the plurality of encrypted data blocks included in the encrypted user data;
storing, by the processor, the encrypted user data on the storage medium;
13. A data processing method comprising: 1. A computer-implemented data processing method for writing and reading user data including a plurality of data blocks, comprising:
a processor, a memory connected to the processor, a storage medium connected to the processor, and a connection interface connected to the processor;
The processor has a plurality of registers;
The data processing method includes:
receiving a request by the processor to write the user data;
storing, by the processor, in the memory, the user data to be written in accordance with the write request;
performing an encryption process using the plurality of registers to generate encrypted user data including a plurality of encrypted data blocks;
the processor appending a first data integrity field including a first error code to each of the plurality of encrypted data blocks included in the encrypted user data;
storing, by the processor, the encrypted user data on the storage medium;
Including,
In the encryption process,
a first process of reading partial data, which is a part of the data blocks, from a predetermined number of the data blocks and storing the partial data in a first register;
a second process of encrypting the partial data stored in the first register and storing the encrypted partial data in a second register;
a third process of performing a first operation for calculating the first error code by using the encrypted partial data stored in the second register, and storing a result of the first operation in a third register;
is executed repeatedly,
A first address indicating a storage location of the encrypted data block may be set in the first data integrity field,
The processor,
reading the first error code for a predetermined number of the encrypted data blocks into a fourth register;
generating the first data integrity field by appending to the first error code stored in the fourth register the first address of the encrypted data block to which the first error code is to be appended;
A first generation number representing a generation of writing of the data block can be set in the first data integrity field,
The data processing method, characterized in that the processor generates the first data integrity field by adding the first generation number of the encrypted data block to which the first error code is added to the first error code stored in the fourth register.

Images